SCA: security update for tar (GHSA-r6q2-hw4h-h46w)

medium Tenable Self-Hosted Container Security Plugin ID 436849

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This
is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-
insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested),
the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel.
This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race
conditions. The library uses a `PathReservations` system to ensure that metadata checks and file
operations for the same path are serialized. This prevents race conditions where one entry might clobber
another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability
affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode
normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly
preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode
collision with `ss`)). This enables an attacker to circumvent internal parallelization locks
(`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version
7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's
behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`.
As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to
extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend
against arbitrary file writes via this file system entry name collision issue. (CVE-2026-23950)

Solution

Update the tar library and its related packages to version 7.5.4 or later.

See Also

https://github.com/advisories/GHSA-r6q2-hw4h-h46w

Plugin Details

Severity: Medium

ID: 436849

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/21/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.72

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.2

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2026-23950

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/21/2026

Vulnerability Publication Date: 1/20/2026

Reference Information

CVE: CVE-2026-23950